Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Good on Best Buy for dropping Kaspersky. Although I’d love to see a bit more evidence coming out of the U.S. intelligence community (as I fear a backlash on U.S. products from Russia), what I really want to see is Best Buy and other companies drop a whole lot more products for poor security.

While we don’t really know why we shouldn’t trust Kaspersky, we do know why we shouldn’t trust D-Link. Their products include so many security flaws that the general advice from security experts who have looked at them is not to buy them.

Yet when I went on Amazon to buy a new router recently, there was a D-Link router and Amazon was doing everything it could to make me want to purchase it. It was cheap ($59.99); it was Prime eligible; it got four stars from other customers. Not thinking about whether it was secure, I purchased it.

It was only when I got into the administrative console that warning bells started to go off. “By default, your new D-Link device does not have a password configured for administrator access to the web-based configuration utility,” are words that no one should ever write. Then the web-based configuration utility informed me that passwords needed to be between 6 and 15 characters (the 90s called, they want their password requirements back).

That got me googling and, while I couldn’t find much on vulnerabilities in the model I had purchased, I will be making use of Amazon’s generous return policy. Reports I found on other D-Link models (newer, more up-to-date ones) are terrifying. Even the Federal Trade Commission thinks that D-Link security sucks, yet its routers are ready and waiting for you to buy on Amazon. My question is: why?

When I need something, I pretty much buy whatever Amazon recommends. So do many people. I’d like to think that if Amazon is going to sell a product, that product is going to be safe. But right now, I want to go on Amazon and buy a replacement router that I can trust will be more secure than what they previously sold me, and I have no easy way of knowing what to buy.

Should I trust the recommendations of Michael Horowitz at routersecurity.org or the recommendations made by LifeWire or just go out and buy the Symantec Core router as Trusted Reviews would seemingly have me do? I don’t know Michael Horowitz (though he seems to know what he is talking about), I have no idea who wrote the LifeWire post, and I don’t trust Trusted Reviews. But I do trust Amazon and I should be able to trust them not to sell me a piece of junk.

Critics will argue that Amazon is the “Everything Store”; they sell thousands of models of routers (1,149 in all) to meet the individual needs of their consumers. But very few consumers need or want an insecure router. For those that do, Amazon should treat them the same way Google treats a suspect website: advising most consumers against the purchase (“back to safety”) but allowing the purchase to go through (“proceed with caution”).

Ultimately though, the problem with insecure routers (as with so many security problems) is that poor security isn’t a choice consumers make for themselves; it is a choice that vendors make for all of us. Insecure home routers have been a favorite target for botmasters over the last year. By selling devices that are not secure out of the box, Amazon is making us all less safe online.

When I was in government, just about every task force that assembled to make recommendations on cybersecurity policy argued that the government should use its tremendous buying power to require companies to meet security standards. It was always a well-intentioned, if overly broad, recommendation. But, you know who has more buying power than the federal government? Amazon. You know who should use it to make sure the products they sell to their customers are secure? You guessed it.